Understanding GSA’s Updated CUI Security Requirements for Contractors 

On January 5, 2026, the U.S. General Services Administration (GSA) released Revision 1 of its IT Security Procedural Guide. The update outlines how Controlled Unclassified Information (CUI) must be protected when it resides in nonfederal systems operated by contractors. 

While the document is framed as procedural guidance, it introduces a more defined process for how contractors demonstrate compliance and how GSA evaluates that posture. It also marks a shift away from self-attestation of compliance with NIST SP 800-171 toward a model that involves third-party assessment.

A more structured approach to CUI protection 

The updated guide establishes a formal process for protecting CUI in contractor-owned systems. This includes expectations around documentation, assessment, and review before a system is approved to handle CUI in support of GSA work. 

Contractors may be required to: 

  • Develop and maintain formal documentation, including a System Security and Privacy Plan (SSPP) and Plan of Action and Milestones (POA&M) 
  • Undergo third-party assessment of their security controls 
  • Obtain GSA approval prior to performing work involving CUI 

This represents a shift toward a more standardized and reviewable approach to compliance, rather than relying solely on internal attestation. 

The five phases of GSA’s CUI approval process

The guide organizes the process into five phases that contractors should understand before handling CUI in nonfederal systems: 

  1. Prepare – Identify whether CUI will be stored, processed, or transmitted in contractor systems, and begin defining the system boundary. 
  2. Document – Develop required materials such as the SSPP and POA&M, and related security documentation. 
  3. Assess – Complete a third-party assessment to evaluate whether applicable security requirements have been implemented. 
  4. Authorize – Submit required materials for GSA review and obtain approval before the system is used to handle CUI. 
  5. Monitor – Maintain the approved security posture over time through ongoing monitoring, updates, and annual reviews. 

This structure is important because it shows that GSA is not only asking contractors to implement controls. It is also defining a process for how those controls are documented, reviewed, approved, and maintained.

Alignment to NIST SP 800-171 Revision 3

One notable element of the update is GSA’s alignment to NIST SP 800-171 Revision 3.

Many organizations are still aligned to Revision 2, which remains the current baseline for programs like CMMC. As a result, contractors may need to evaluate how their existing controls and documentation map to the newer revision when working with GSA. 

Requirements that cannot be deferred

The guide also identifies certain requirements that must be fully implemented before approval is granted. 

These are sometimes referred to as “showstoppers,” meaning they cannot be addressed through a POA&M and must be in place as part of the initial review. This reinforces the importance of understanding which controls require full implementation upfront versus those that can be remediated over time. 

Relationship to other frameworks 

Although there is overlap with other federal security frameworks, such as FedRAMP and CMMC, the GSA process is distinct. 

Organizations that have already invested in these frameworks may have a strong foundation, but they should not assume full alignment without validating against GSA’s specific expectations and approval process. Even contractors with mature compliance programs may find gaps when mapping their posture against NIST SP 800-171 Revision 3, navigating the five-phase approval process, or identifying controls that must be fully implemented upfront rather than remediated over time.

Contractors that aren’t prepared risk losing bids or facing delays on work involving CUI. 

Key takeaways for contractors 

For contractors supporting GSA or pursuing opportunities that involve CUI, the updated guide introduces a more formalized path to demonstrating compliance. 

At a practical level, this includes: 

  • Understanding where CUI exists within your systems 
  • Evaluating alignment to NIST SP 800-171 Revision 3 
  • Preparing documentation that reflects your current security posture 
  • Planning for third-party assessment and GSA review 

Taken together, these updates reflect a more structured approach to how CUI protections are implemented and validated within the GSA ecosystem. 

How A-LIGN can help 

As both a CMMC C3PAO and FedRAMP 3PAO, A-LIGN has the assessor capabilities to help contractors navigate overlapping and evolving federal requirements. We help clients understand where their existing investments apply, where gaps exist, and what a realistic path to GSA approval looks like. 

Reach out today to evaluate your readiness for GSA’s updated CUI requirements.